DETECTING NETWORK ATTACKS

Technical Field 

The present invention generally relates to detecting network attacks and particularly relates to methods, apparatus, and computer program elements for detecting attacks on a data communications network.

Background of the Invention 

The Internet is a wide area data communications network formed from a plurality of interconnected data networks. In operation, the Internet facilitates data communications between a range of remotely situated data processing systems. Such data processing systems each typically comprise a central processing unit (CPU), a memory subsystem, an input/output (I/O) subsystem, and computer program code stored in the memory subsystem for execution by the CPU. Typically, end user data processing systems connected to the Internet are referred to as client data processing systems or simply clients. Similarly, data processing systems hosting web sites and services for access by end users via the Internet are referred to as server data processing systems or simply servers. There is a client-server relationship completed via the Internet between the end user data processing systems and the hosting data processing systems.

The Internet has become an important communications network for facilitating electronically effected commercial interactions between consumers, retailers, and service providers. Access to the Internet is typically provided to such entities via an Internet Service Provider (ISP). Each ISP typically operates an open network to which clients subscribe. Each client is provided with a unique Internet Protocol (IP) address on the network. Similarly, each server on the network is provided with a unique IP address. The network operated by the ISP is connected to the Internet via a dedicated data processing system usually referred to as a router. In operation, the router directs inbound communication traffic from the Internet to specified IP addresses on the network. Similarly, the router directs outbound communication traffic from the network in the direction of specified IP addresses on the Internet.



... degradation ... connected to the network typically ... technology for ... in the interests of increasing ... network performance.



In accordance with the present invention, there is now provided a method for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the method comprising: identifying data traffic on the network originating at any assigned address and addressed to any unassigned address; inspecting any data traffic so identified for data indicative of an attack; and, on detection of data indicative of an attack, generating an alert signal. In a preferred embodiment of the present invention, the inspecting comprises spoofing replies to requests contained in the data traffic identified. The method may comprise, on generation of the alert signal, rerouting any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network. On generation of the alert signal, an alert message may be sent to the disinfection address. The alert message may comprise data indicative of the attack detected. On receipt of the alert message, a warning message may be sent from the disinfection address to the address assigned to the data processing system originating the data indicative of the attack. The warning message may include program code for eliminating the attack when executed by the data processing system originating the data indicative of the attack.

Viewing the present invention from another aspect, there is now provided apparatus for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the apparatus comprising: an intrusion detection sensor (IDS) for identifying data traffic on the network originating at any assigned address and addressed to any unassigned address, inspecting any data traffic so identified for data indicative of an attack, and, on detection of data indicative of an attack, generating an alert signal.

The IDS in use preferably inspects the data traffic identified through spoofing replies to requests contained in the data traffic identified. The apparatus may also comprise a router connected to the intrusion detection sensor for rerouting, in response to generation of the alert signal, any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network. Preferably, the IDS, on generation of the alert signal, sends an alert message to the disinfection address. The alert message preferably comprises data indicative of the attack detected. A preferred embodiment of the present invention further comprises a disinfection server assigned to the disinfection address, the disinfection server sending, on receipt of the alert message, a warning message to the address assigned to the data processing system originating the data indicative of the attack.

The present invention also extends to a data communications network comprising: a plurality of addresses for assignment to data processing systems in the network; and, apparatus for detecting attacks on the network as herein before described. The present invention further extends to a computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data communications network as herein before described.

In a preferred embodiment of the present invention, there is provided a data communications network comprising: a router for connecting a plurality of data processing systems to the Internet; an IDS connected to the router; and a disinfection server also connected to the router. In response to the IDS detecting that one of the data processing systems is infected by an attack, the IDS instructs the router to reroute all network traffic from that system to the disinfection server. The IDS simultaneously supplies disinfection data to the disinfection server. The disinfection data is indicative of: the nature of the infection; how to disinfect the infected system; and how to resume normal network connectivity.

There are generally a number of free IP addresses on a given network. In a particularly preferred embodiment of the present invention, the IDS listens on the network for traffic directed toward the free IP addresses. No such traffic should exist. In the event that a request directed to one of the free IP addresses is detected, the IDS spoofs an answer to the request. The free IP addresses are not in use, so any attempt to contact, for example, a system at such an address is a priori suspicious. The IDS then listens for a reply to the spoofed answer. If the IDS detects a diagnosable attack in the reply, it signals the router to reroute the infected system to the disinfection server. Because the IDS is interactively spoofing the infected system, it has an accurate view of the attack, and false positives are minimized.
Brief Description of the Figures

Preferred embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a block diagram of a data processing system;
Figure 2 is a block diagram of a data processing network embodying the present invention;
Figure 3 is a block diagram of an intrusion detection sensor embodying the present invention; and,
Figure 4 is a flow diagram associated with the intrusion detection sensor.

Detailed Description 

Referring first to Figure 1, a data processing system comprises a CPU 10, an I/O subsystem 20, and a memory subsystem 40, all interconnected by a bus subsystem 30. The memory subsystem 40 may comprise random access memory (RAM), read only memory (ROM), and one or more data storage devices such as hard disk drives, optical disk drives, and the like. The I/O subsystem 20 may comprise: a display; a printer; a keyboard; a pointing device such as a mouse, tracker ball, or the like; and one or more network connections permitting communications between the data processing system and one or more similar systems and/or peripheral devices via a data communications network. The combination of such systems and devices interconnected by such a network may itself form a distributed data processing system. Such distributed systems may be themselves interconnected by additional data communications networks.

In the memory subsystem 40 is stored data 60 and computer program code 50 executable by the CPU 10. The program code 50 comprises operating system software 90 and application software 80. The operating system software 90, when executed by the CPU 10, provides a platform on which the application software 80 can be executed.

Referring now to Figure 2, in a preferred embodiment of the present invention, there is provided a data communications network 100 having a plurality of addresses 110 for assignment to data processing systems in the network. In a particularly preferred embodiment of the present invention, the network 100 is in the form of an Internet service installation having a plurality of assignable Internet Protocol (IP) addresses 110. The network 100 is connected to the Internet 120 via a router 130. The router 130 is dedicated by appropriate programming to the task of routing traffic in the form of data packets between the network 100 and the Internet 120 according to the IP addresses specified in the packets. A first group 140 of the IP addresses 110 on the network 100 are assigned to systems 150 belonging to users of the Internet service. Each system 150 may be a data processing system as herein before described with reference to Figure 1. A second group 160 of the IP addresses 110 on the network 100 are free. More specifically, the second group 160 of IP addresses 110 are not assigned to user systems 150. An intrusion detection sensor (IDS) 170 is also connected to the network 100. The IDS 170 is also connected to the router 130. Details of the IDS 170 will be provided shortly. The router 130 is connected to a disinfection server 180. The disinfection server 180 may be implemented by a data processing system as herein before described with reference to Figure 1.

With reference to Figure 3, in a preferred embodiment of the present invention, the IDS 170 is implemented by a data processing system as herein before described with reference to Figure 1. The application software 80 of the IDS 170 includes intrusion detection code 200. The data 60 stored in the memory subsystem 40 of the IDS 170 includes attack identity data 210 and disinfection data 220. The data also includes a record of which of the IP addresses on the network 100 are free and which of the IP addresses on the network 100 are assigned to data processing systems 150. The record is updated each time another IP address is allocated or an existing IP address allocation is removed. The attack identity data 210 contains data indicative of signatures identifying known attacks. The disinfection data 220 contains data indicative of: the nature of each attack; how to disinfect a system infected with each attack; and how to resume normal network connectivity. The attack identity data 210 and disinfection data 220 are cross referenced. The intrusion detection code 200, when executed by the CPU 10, configures the IDS 170 to operate in accordance with the flow diagram shown in Figure 4.

Referring now to Figure 4, in operation, the IDS 170 identifies data traffic on the network originating at any assigned address 140 and addressed to any unassigned address 160. The IDS 170 inspects any data traffic so identified for data indicative of an attack. On detection of data indicative of an attack, the IDS 170 generates an alert signal. In a preferred embodiment of the present invention, on generation of the alert signal, any data traffic originating at the address 140 assigned to the data processing system 150 originating the data indicative of the attack is rerouted to a disinfection address on the network 100. In a particularly preferred embodiment of the present invention, the IDS 170 listens on the network 100 for traffic directed toward the free IP addresses 160. Specifically, at block 300, the IDS 170 examines requests sent from addresses 140 on the network 100 to determine, at block 310, if the request specifies one of the free IP addresses 160 as the destination address. If the request does not specify one of the free IP addresses 160, then, at block 320, the IDS 170 waits for the next request to examine. If, however, the request specifies one of the free IP addresses 160, then, at block 330, the IDS 170 spoofs an answer to the request. The free IP addresses 160 are not in use. Thus, any attempt to contact a system at such an address is a priori suspicious. The IDS 170 then listens for a reply to the spoofed answer. If no reply is received within a predetermined time-out period, then, at block 320, the IDS 170 waits for the next request to examine. If a reply is received, then, at block 350, the IDS 170 compares the contents of the reply with the attack identity data 210 stored in the memory subsystem 40. If, at block 350, the comparison fails to identify an attack, then, at block 320, the IDS 170 waits for the next request to examine. If, however, the comparison at block 350 detects a diagnosable attack in the reply, then the IDS 170 determines that the system 150 is infected. Accordingly, at block 360, the IDS 170 generates the alert signal. The alert signal instructs the router 130 to reroute all traffic from the infected system 150 to the disinfection address. Referring back to Figure 1, in a preferred embodiment of the present invention, the disinfection server 180 is assigned the disinfection address. The IDS 170 also sends an alert message to the disinfection server 180. In a preferred embodiment of the present invention, the IDS 170 retrieves the disinfection data 220 corresponding to the attack from the memory subsystem 40. At block 370, the IDS 170 sends an alert message containing the retrieved disinfection data 220 to the disinfection address at which the disinfection server 180 resides. Then, at block 320, the IDS 170 waits for the next request to examine. Each request may be embedded in one or more packets of data on the network 100. Accordingly, the signature of an attack may span more than one packet.

CH920030006
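The request, spoofed answer, reply and signature comparison flow described in the summary above and in the Figure 4 description, as an added example that is not part of the patent: a simulated sensor written in Python and run over constructed traffic. The names (Packet, Alert, AddressRecord, Sensor, run_sample), the 10.0.0.x address pool, the signature bytes PROBE-SAMPLE-A and the disinfection entries are all assumptions of this example; where a live sensor would transmit a spoofed answer from the free address, the simulation only records that it would do so. The example also keeps the free/assigned record the IDS holds in Figure 3 and handles the two edge cases the text names, a signature spanning more than one packet and a conversation with no reply before the time-out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    t: float  # arrival time in seconds on a constructed clock


@dataclass
class Alert:
    infected: str                 # assigned address (group 140) judged infected
    attack: str                   # name from the attack identity data
    disinfection: Dict[str, str]  # cross-referenced disinfection data


class AddressRecord:
    """Which pool addresses are assigned (group 140) and which are free (group 160)."""

    def __init__(self, pool: List[str]) -> None:
        self.pool, self.assigned = set(pool), set()

    def allocate(self, addr: str) -> None:
        if addr not in self.pool:
            raise ValueError(f"{addr} is not in the address pool")
        self.assigned.add(addr)

    def is_free(self, addr: str) -> bool:
        return addr in self.pool and addr not in self.assigned


class Sensor:
    """Watch assigned->free requests, spoof an answer, inspect the reply for signatures."""

    def __init__(self, record, signatures, disinfection, reply_timeout=5.0):
        self.record, self.reply_timeout = record, reply_timeout
        self.signatures = signatures      # attack identity data 210: name -> byte pattern
        self.disinfection = disinfection  # disinfection data 220: name -> instructions
        self.pending: Dict[Tuple[str, str], list] = {}  # (src, free dst) -> [deadline, reply]
        self.spoofed: List[Tuple[str, str]] = []  # (free addr, src): answers a live IDS would send
        self.reroutes: List[str] = []             # addresses the router is told to reroute
        self.alerts: List[Alert] = []

    def expire(self, now: float) -> None:
        # No reply within the time-out: forget the conversation (back to block 320).
        for key in [k for k, (deadline, _) in self.pending.items() if now > deadline]:
            del self.pending[key]

    def observe(self, pkt: Packet) -> Optional[Alert]:
        self.expire(pkt.t)
        key = (pkt.src, pkt.dst)
        if key in self.pending:
            # Reply to the spoofed answer: accumulate, since a signature may span packets.
            deadline, buf = self.pending[key]
            buf += pkt.payload
            self.pending[key] = [deadline, buf]
            return self._inspect(key, buf)  # block 350
        # Blocks 300/310: only a request from an assigned address to a free address matters.
        if pkt.src in self.record.assigned and self.record.is_free(pkt.dst):
            self.spoofed.append((pkt.dst, pkt.src))  # block 330: spoof an answer
            self.pending[key] = [pkt.t + self.reply_timeout, b""]
        return None  # block 320: wait for the next request

    def _inspect(self, key: Tuple[str, str], buf: bytes) -> Optional[Alert]:
        for name, pattern in self.signatures.items():
            if pattern in buf:
                alert = Alert(key[0], name, self.disinfection[name])
                self.alerts.append(alert)     # block 360: alert signal
                self.reroutes.append(key[0])  # router reroutes the infected address
                del self.pending[key]
                return alert
        return None


# Constructed attack identity data (210) cross-referenced with disinfection data (220).
SIGNATURES = {"sample-worm-a": b"PROBE-SAMPLE-A"}  # placeholder pattern, not a real signature
DISINFECTION = {"sample-worm-a": {
    "nature": "self-propagating probe (constructed example)",
    "disinfect": "run the pre-stored cleaner for sample-worm-a",
    "resume": "restore normal routing once the cleaner reports success"}}


def run_sample() -> Sensor:
    """Run the sensor over constructed traffic: one infected host, one benign time-out."""
    record = AddressRecord([f"10.0.0.{i}" for i in range(1, 9)])
    for addr in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        record.allocate(addr)
    sensor = Sensor(record, SIGNATURES, DISINFECTION, reply_timeout=5.0)
    traffic = [
        Packet("10.0.0.1", "10.0.0.2", b"GET / HTTP/1.0", 0.0),  # assigned -> assigned: ignored
        Packet("10.0.0.2", "10.0.0.7", b"SYN", 1.0),             # assigned -> free: spoofed
        Packet("10.0.0.2", "10.0.0.7", b"PROBE-SAMPLE-", 1.5),   # reply; signature split ...
        Packet("10.0.0.2", "10.0.0.7", b"A", 1.6),               # ... across two packets
        Packet("10.0.0.3", "10.0.0.8", b"SYN", 2.0),             # assigned -> free: spoofed
        Packet("10.0.0.1", "10.0.0.2", b"benign", 9.0),          # 10.0.0.3 never replied: expired
    ]
    for pkt in traffic:
        sensor.observe(pkt)
    return sensor
```

Calling run_sample() returns the sensor after the constructed traffic has been observed: 10.0.0.2 is reported as infected with the sample attack and placed on the reroute list, while the conversation from 10.0.0.3, which sent a request to a free address but never answered the spoofed reply, is dropped by the time-out rather than turned into an alert. That is the false-positive control the summary describes: a request to a free address is only suspicious, and the sensor commits to an alert only once the reply to its spoofed answer matches the attack identity data.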
In a preferred embodiment of the present invention, the disinfection data 220 sent to the disinfection server 180 contains data indicative of: the nature of the attack detected; how to disinfect the system 150 infected with the attack; and how to resume normal network connectivity. On receipt of the disinfection data 220 from the IDS 170, the disinfection server 180 sets about curing the infected system 150 and restoring the network 100. In another preferred embodiment of the present invention, the disinfection data 220 contains only data indicative of the nature of the attack. The disinfection server then selects, based on the nature of the attack, one of a plurality of pre-stored techniques for disinfecting the infected system 150 and/or restoring the network 100 and executes the selected technique. The attacks may take many different forms. Accordingly, the corresponding techniques for disinfection and network restoration may vary widely from one attack to the next.

In a preferred embodiment of the present invention, on receipt of the disinfection data, the disinfection server 180 sends a warning message to the infected system 150. The warning message informs the user of the infected system 150 that his or her system 150 is infected. The message may instruct the user to run anti-virus software pre-stored in the infected system 150 to eliminate or otherwise isolate the infection. Alternatively, the message may contain disinfection program code for eliminating the attack from the infected system 150, together with instructions to assist the user in executing the disinfection code on the infected system 150. In another alternative, the message may direct the user to another web site, at which appropriate disinfection program code is provided. In another preferred embodiment of the present invention, the message contains disinfection program code that, when loaded into the infected system, executes automatically, thus eliminating or otherwise isolating the infection in a manner which is transparent to the user. Other disinfection schemes are possible.
In the embodiments of the present invention herein before described, the disinfection server 180 is implemented by a single data processing system such as that herein before described with reference to Figure 1. However, in other embodiments of the present invention, the disinfection server 180 may be implemented by multiple data processing systems. Such data processing systems may be distributed or located together in a farm. Each data processing system in the disinfection server 180 may be dedicated to disinfecting a different attack. The IDS 170 may also be implemented by multiple integrated data processing systems. Alternatively, the IDS 170 and the disinfection server 180 may be integrated in a single data processing system. Traffic rerouted to the disinfection server 180 may be logged and/or discarded by the disinfection server 180.

In the embodiments of the present invention herein before described, the IDS 170 sends disinfection data to the disinfection server 180. However, in other embodiments of the present invention, once an infection is detected, the IDS 170 may simply instruct the router 130 to reroute traffic from the infected system 150 to the disinfection server 180, without the IDS 170 additionally supplying disinfection data to the disinfection server 180. The disinfection server 180 then simply acts as a repository for traffic originating in the infected system 150, logging and/or discarding traffic it receives from the infected system 150. The logging and/or discarding may be reported by the disinfection server 180 to an administrator of the network 100. Reports may be delivered periodically or in real time. Based on the reports, administrators can take action toward eliminating or otherwise containing the infection of the network 100.
In the embodiments of the present invention herein before described, the IDS 170, router 130, and disinfection server 180 are implemented by data processing systems programmed with appropriate program code. However, it will be appreciated that, in other embodiments of the present invention, one or more of the functions described herein as being implemented in software may be implemented at least partially in hardwired logic circuitry.

It will also be appreciated that the attack detection methods described herein may be implemented by the service provider responsible for the network 100, or at least partially by a third party in the form of a service to the service provider. Such a service may differentiate the service offered by the service provider from the services provided by its competitors. Such differentiated services may be optionally supplied to end users of the network service provided in exchange for an additional premium.
1. A method for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the method comprising: identifying data traffic on the network originating at any assigned address and addressed to any unassigned address; inspecting any data traffic so identified for data indicative of an attack; and, on detection of data indicative of an attack, generating an alert signal.

2. A method as claimed in claim 1, wherein the inspecting comprises spoofing replies to requests contained in the data traffic identified.

3. A method as claimed in claim 1, comprising, on generation of the alert signal, rerouting any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network.

4. A method as claimed in claim 1, comprising, on generation of the alert signal, sending an alert message to the disinfection address.

5. A method as claimed in claim 5, wherein the alert message comprises data indicative of the attack detected.

6. A method as claimed in claim 5, comprising, on receipt of the alert message, sending a warning message from the disinfection address to the address assigned to the data processing system originating the data indicative of the attack.

7. A method as claimed in claim 6, comprising including in the warning message program code for eliminating the attack
processing systems in the network, the apparatus comprising: an intrusion detection sensor for identifying data traffic on the network originating at any assigned address and addressed to any unassigned address; inspecting any data traffic so identified for data indicative of an attack; and, on detection of data indicative of an attack, generating an alert signal.

9. Apparatus as claimed in claim 8, wherein the intrusion detection sensor inspects the data traffic identified through spoofing replies to requests contained in the data traffic identified.

10. Apparatus as claimed in claim 8, further comprising a router connected to the intrusion detection sensor for rerouting, in response to generation of the alert signal, any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network.

11. Apparatus as claimed in claim 10, wherein the intrusion detection sensor, on generation of the alert signal, sends an alert message to the disinfection address.

12. Apparatus as claimed in claim 11, wherein the alert message comprises data indicative of the attack detected.

13. Apparatus as claimed in claim 12, further comprising a disinfection server assigned to the disinfection address, the disinfection server sending, on receipt of the alert message, a warning message to the address assigned to the data processing system originating the data indicative of the

14. Apparatus as claimed in claim 13, wherein the warning message comprises program code for eliminating the attack when executed by the data processing system originating the data indicative of the attack.

15. A data communications network comprising: a plurality of addresses for assignment to data processing systems in the network; and, apparatus for detecting attacks on the network as claimed in any of claims 8 to 14.

16. A computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data communications network as claimed in any of claims 1 to 8.
ABSTRACT

Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.